Past Gen RNG Research

I can get to all 24 via PokeGen, though. I was able to get it to show me 16 without the National Pokedex, so that may be the limit. kaph found a save past the part that was freezing on me, and he tested it and it does the same shiny check.

This would make it possible to still have shiny Zekrom\Reshirams while thwarting people attempting the obvious - modifying the ID\SID so the PID would be shiny.


Then again, they didn't do that with Kyurem, only with Reshiram, Zekrom and Victini. Resh/Zek have their IVs/Nature changed every time you face them even if they don't respawn, and yet they cannot be shiny; Game Freak actively made them not to, as it seems.

Game Freak went to a lot of trouble to encrypt the date\time\MAC Address for the non-C-Gear seeds. But no amount of encryption can stop someone with a debugger. :)

tl;dr We can now predict non-C-Gear seeds, given a date\time\DS MAC address. This will be incorporated into RNG Reporter within the next day or two, and there will be a short beta period to make sure this works perfectly for real carts.

EDIT: Apparently not quite yet, there are still some issues.

Non-C-Gear seeds are MUCH easier to work with than the C-Gear; you don't have to get millisecond-precision timing, all you need is to hit the right time down to the second. What's more, the same seed is used for both RNGs, so both IVs and nature\shininess\etc. can be predicted.

This isn't so much encrypting the number as it is putting each pair of bytes in reverse order.
Example:
AD 53 59 58
becomes
58 59 53 AD

This is done to 16 4-byte numbers, which are strung together to make the SHA-1 message. Thankfully, 12 of these numbers are constant (at least, I hope they stay that way). The rest of the values are the date, time, and the two halves of the MAC address.

Also note that Date\Time is stored in a different number format than the last gen. This will be covered in another post.

Code:

02215F30, 0221602C, 0221602C, 02216078 -> 305F2102, 2C602102, 2C602102, 78602102
02216078, [ DSID ], [MACpt1], [MACpt2] -> 78602102, ????????, ????????, ????????
[ Date ], [ Time ], 00000000, 00000000 -> ????????, ????????, 00000000, 00000000
00002FFF, 00000080, 00000000, A0010000 -> FF2F0000, 80000000, 00000000, 000001A0

Note: I haven't yet determined how exactly the two parts of the MAC address are placed, since No$GBA has a set MAC address of 0.
EDIT: I have since discovered that one of the inputs is actually some ID unique to the DS. I hope this won't be too difficult to find without an AR.
Final message:
305F21022C6021022C60210278602102786021023E0318000000C3310709BF16????????????????????????????????FF2F00008000000000000000000001A0

Encrypting the Encryption with SHA-1

Copied from Wikipedia. The message-generation step is not included because we did that in the previous step.

Jumbling up the SHA-1 Hash

Same reversing of values as in step 1.

Code:

For each 4-byte value in the SHA-1 hash, put each pair of bytes in reverse order.
Example:
AD 53 59 58
becomes
58 59 53 AD

Generating the Final Seed

01010101 for 1/1/01,
02010102 for 1/1/02,
03010103 for 1/1/03,
04010104 for 1/1/04,
+1
06010105 for 1/1/05,
00010106 for 1/1/06,
01010107 for 1/1/07,
02010108 for 1/1/08,
+1
04010109 for 1/1/09,
05010110 for 1/1/10,
06010111 for 1/1/11,
00010112 for 1/1/12.
+1
02010113 for 1/1/13
...

05010110 for 1/1/10, 06010111 for 1/1/11, 00010112 for 1/1/12, 02010113 for 1/1/13
06020110 for 1/2/10, 00020111 for 1/2/11, 01020112 for 1/2/12, 03020113 for 1/2/13
00030110 for 1/3/10, 01030111 for 1/3/11, 02030112 for 1/3/12, 04030113 for 1/3/13
01040110 for 1/4/10, 02040111 for 1/4/11, 03040112 for 1/4/12, 05040113 for 1/4/13
02050110 for 1/5/10, 03050111 for 1/5/11, 04050112 for 1/5/12, 06050113 for 1/5/13
03060110 for 1/6/10
04070110 for 1/7/10
05080110 for 1/8/10
06090110 for 1/9/10
00010110 for 1/10/10

00310110 for 1/31/10
01010210 for 2/01/10

So far it looks like XXDDMMYY. Year does something to the XX area.

It's screwy every 4 years, changing from its 0 to 6 pattern by increasing 1. Doesn't do it for changes in months or days, as far as I could see. Only difference is year separation. I can't think of a particular formula for it but it is an easy pattern.
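Worked example of the three steps above (byte-swapped 16-word message, SHA-1, byte-swapped hash words) together with the date table. This is added code, not from the thread or from RNG Reporter; the constant words and the No$GBA DSID/MAC words are the ones shown in the table above, the time word is a constructed placeholder, and the reading that the XX byte is the day of the week (Sunday = 0, so the value drifts one extra step after each leap year) is this example's assumption, checked against the dates listed above.

```python
import hashlib
import struct
from datetime import date


def swap32(word: int) -> int:
    """Reverse the byte order of a 32-bit word: AD535958 -> 585953AD."""
    return int.from_bytes((word & 0xFFFFFFFF).to_bytes(4, "big"), "little")


def build_message(words) -> bytes:
    """Step 1: byte-swap each of the 16 words and string them into the 64-byte SHA-1 message."""
    if len(words) != 16:
        raise ValueError("the seed message needs exactly 16 words")
    return b"".join(struct.pack(">I", swap32(w)) for w in words)


def swapped_hash(message: bytes) -> list:
    """Steps 2 and 3: SHA-1 the message, then byte-swap each 4-byte word of the hash."""
    digest = hashlib.sha1(message).digest()
    return [swap32(h) for h in struct.unpack(">5I", digest)]


def bcd(n: int) -> int:
    """Two-digit binary-coded decimal: 31 -> 0x31."""
    return ((n // 10) << 4) | (n % 10)


def date_word(year: int, month: int, day: int) -> int:
    """Raw date word (before the swap). Assumption of this example: once swapped it
    reads XX DD MM YY in BCD, where XX is the day of the week with Sunday = 0."""
    dow = (date(year, month, day).weekday() + 1) % 7  # Python Monday=0 -> Sunday=0
    return (bcd(year % 100) << 24) | (bcd(month) << 16) | (bcd(day) << 8) | bcd(dow)


# Words from the table above; DS_WORDS are the No$GBA values of the sample message.
NAZO = [0x02215F30, 0x0221602C, 0x0221602C, 0x02216078, 0x02216078]
DS_WORDS = [0x0018033E, 0x31C30000, 0x16BF0907]  # DSID, MAC part 1, MAC part 2
TAIL = [0x00000000, 0x00000000, 0x00002FFF, 0x00000080, 0x00000000, 0xA0010000]


def seed_words(year: int, month: int, day: int, time_word: int = 0x00000000):
    """Return (message bytes, byte-swapped hash words) for a date; time_word is a placeholder."""
    words = NAZO + DS_WORDS + [date_word(year, month, day), time_word] + TAIL
    message = build_message(words)
    return message, swapped_hash(message)


if __name__ == "__main__":
    msg, hash_words = seed_words(2010, 1, 1)
    print(msg.hex().upper())
    print(["%08X" % w for w in hash_words])
```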

I know this is DS-specific because we get the same values regardless of which game I put in. This also explains why mattj and I couldn't get the same seed with the same date\time\MAC address way back when.

I really hope this is something we'll be able to find easily without an AR, like the Nintendo WFC ID.

EDIT, response to above: I get the same seed with completely different save files.

It looks like regular seeds are also partly dependent on some ID that is unique to each DS. As far as we know, this ID can't be retrieved by anything except an AR (and so far Kaphotics hasn't been successful in making a code for that).

However, since this ID is only one 32-bit value, it's feasible to brute-force every possible combination and find this ID, so long as you know the seed for a particular time\date\MAC address. (I wrote a program for determining this seed a few pages back, but I've found it's a little buggy and won't be fixing it until I integrate it into RNG Reporter.) It's a process that will take hours, maybe even a day or two to complete, but once you have that ID you can predict IVs (and more importantly nature\ability\shininess, which C-Gear seeds can't do) for any date\time, for that DS.

This is going to be a pretty complex process, so I'll make sure RNG Reporter 9.0 will guide the user through it, step by step. But I'm swamped this week, so don't expect to see progress on it until the end of next week. In the meantime, I'll see if I can find time to get RNG Reporter 8.4 out in the next day or two. I won't be posting any guides for it, though - I expect the people who have been beta testing it to help. :)

The logic behind it is that it checks 02FE36CC for 67452301 and when that address is equal to that value it will write the value at 02FE36AC to the Dx data register. Once that is done, D6 invokes that Dx register to write the 02FE36AC value to a specified address. It would have to be broken up into a pair of 16-bit parts for use in the actual game, but I just want to get it working first.

e: \/\/\/ It took 5 days on a fairly powerful Server 2008 R2 machine running nothing but DHCP and RNG Reporter, and was set to give precedence to running programs, not background services.

e2: kaph's is organized, but here's the raw csv if someone wants it for whatever reason:

I don't know if this has been mentioned earlier, but I've been using the same c-gear seed for catching and I have gotten different pokemon on the same frame IVs. I'm doing a frame 3 spread to learn the RNG on gen 5, because there's no advancement involved for IVs, but the encounter slots are definitely not related to the IV frame. Caught two different pokemon on the same seed in the same cave, same position using sweet scent.


No surprise there. If wild encounters were based off the IVRNG, you could walk for ages without getting one, because walking only advances it every 128 steps.

Since you're using the C-Gear, which advances the other RNG at a slow and steady rate, the Pokemon you encounter will change depending on how long you wait.

Can't see it flashing to 000X for each IV call or the shifting (too fast for 1 FPS), but we know it does that.

Seems like the C-Gear is turned off temporarily when the event is going, and is then re-enabled (thus re-seeded) after the event (rainy) stops. It's funny how it is raining when it is cold enough to snow, guess it was an oversight when the game was made :P

Restating it in a RNG-wise approach:

IVs are generated RIGHT as the rain lets up. The rain lets up a few seconds after the roamer flies off the screen. So IVs are definitely easy to reset for, but nature and shiny (when we get there) will be nigh impossible at this location on a cart, unless you are extremely extremely extremely persistent (and lucky). It's still an absolute crapshoot because of the rain.

Since respawning hasn't really been tested (haven't seen any info on it), I'd assume it's also respawned after beating the elite four like last gen. But until then...

Still getting this confirmed, but I was able to get this value to change depending on how fast I dismissed the dialogue. This location had the PID of the roamer I caught earlier on a previous save. There's another location that doesn't always show it (02271118).

0223D518 is NOT the memory location for Black's Roamer. It is in another location. I loaded my white active roaming save and the PID did show up in this location, but doing the event with an unactivated event save on black instead of white had it at a different location.

This kind of hints the possibility of having two roamers, we'd probably get both roamers in gray, hopefully :)

The PID is kept in the save obviously, but it is encrypted. In the memory it's in the same region as the egg PID dump (0223EBFC), but this value isn't kept on saving (PID not saved duh)


What we need to do is figure out the rate at which the rain advances the PIDRNG, so it's feasible for someone using non-C-Gear seeds and a timer. The only problem is we don't have a way to verify the seed, so you'd have to track down the roamer and catch it to check.

There's a guy who gives you a random fossil once a day, maybe that could be used to check. Assuming there are no other NPCs between the roamer and flying off to the fossil guy.

Still 60 times per second. However the rain lets up at different spots and starts slowly at times (one raindrop at a time).

You'd have to calibrate for doing the roamer, to see what frame you innately hit while going at a precise (timed) pace.

There's no moving NPCs in the building, so that's a plus.

=====

Takes around 25 seconds to do the event, with the PID being generated somewhere around the (453-465) frame from the initial seed. Carried out in Spring, as there is no rain until the screen flashes yellow.

Does using an AR give you a different seed than you would get without using it?

I plotted out the common MTIVRNG seed that shows up for each second on 10-25-10 from 00:01:22 - 00:02:16 while searching for good non-CGear seeds / frames. I did this by resetting 4 or more times on each second, then checking to see what MTIVRNG value the Check Code gave. In my personal experience, one MTIVRNG value would show up very, VERY consistently (90+%) and then there would be like 1 or 2 or 3 other "tangent" MTIVRNG values that I couldn't explain. I documented this in detail an earlier post in the RNG Research thread.

In order to see if using an AR somehow gives different seeds than you would normally hit without using an AR, I'm going to:

1) Save my game on my surfer in Hodomoe City.
2) Start my game on the DS Startup Screen without an AR on 10-25-10 at 00:01:49 (which is smack dab in the middle of the consecutive seconds that I looked at).
3) Sweet Scent and Masterball a Pururiru.
4) Repeat this maybe 10 times
5) Stick my AR in and check the IVs.

If the IVs show up as the first 6 frames on or around 10-25-10 00:01:49, then it probably doesn't make a difference. If they don't... 10 resets is a pretty large sample size in my experience. In all of my time trying this, tangent seeds usually only show up... 10% of the time max... something weird would be going on...


Well... I Reset on 4 different seconds, and while the IVs I got were consistent within themselves (as expected) none of them matched anything within 10 seconds of what I got while using an AR (unexpected). I suppose it does make a difference.


I wanted to let you know, mattj, that the AR only seems to affect non-C-Gear seeds. It appears that when the C-Gear starts up it "overrides" anything the AR codes did, whereas the AR codes may have an effect without the C-Gear... that is something at least.

Well, the C-Gear seeds don't set the PID RNG, they only reseed the MTRNG with the new seed. When Bond tested to see if freezing these date/time locations at startup would give the same non-C-Gear seed, it did not.

We had trouble getting the code to work because the AR code isn't fast enough to grab the value correctly so it had to be achieved differently.

This unique ID is taken from two places in the memory, not from the game but from the DS hardware. Since there is an AR inserted into the mix, this value will inadvertently be different. Thus you have different initial seeds.

With the BWSeedFinder (implemented into Reporter) you'd get your initial seed without an AR, and then you could get your unique ID. Then seeds :)

We're still experimenting. If you have a copy of White and an AR, say something.

e: Yeah, I tried freezing date, time, and delay with the internal memory freezing function, and the seeds still kept changing.

e2: My original code was correct, but it didn't work because of 2 factors:

1. The AR isn't quite fast enough.

2. The AR usually only works in ARM7, and in this case the memory region that 02FE36AC and 02FE36CC are located in is different between ARM7 and ARM9. It had to be hooked into ARM9 via assembly and then pull the value out.